
Wednesday, 31 July 2013

While on the plane to Vegas, I looked at a number of ASP.NET MVC apps (ping me if you know of other good ones to look at (with publicly available source code)).

I was trying to find one that had good examples of MVC ModelBinding Vulnerabilities (aka overposting), in a real-world-kinda-way (I have found tons of MVC ModelBinding Vulnerability examples which usually get dismissed with a 'that is not the recommended way to code MVC controllers').

So I think I found a great example (of what not to do) on the Contoso University sample.

So after an 18h flight (with a stopover in Toronto) I made it to Las Vegas. It was a really productive flight and I was finally able to spend some time focusing on really learning how ASP.NET MVC actually works.

I read a large section of the Professional ASP.NET MVC 4 book (by Wrox), which is a great way to quickly learn what can be done with MVC 4. Although still very light on security, that book is actually one of the best ones (of all the ASP.NET MVC books I have) at 'mentioning' security. Unfortunately, on the ModelBinding vulnerabilities (aka over-posting), there is very little to alert the reader to the dangers of MVC's ModelBinding.

Tuesday, 30 July 2013

Since the BlackHat and DefCon networks are getting more and more dangerous/compromised (and SSL doesn't mean much these days), this year, I'm going to try to be more careful with my interweb and account's activities.

So:

I'm only taking 1 Mac laptop, which has a clean install of OS X (+ Fusion with clean Windows installs), which I will use for research on the presentation I'm doing at DefCon (on Sunday)

I'm not taking my real phone (I'm going to try to get a SIM card in the US, which hopefully will work on an unblocked and factory-reset iPhone 4)

I'm not going to check my OWASP and SI emails while there, and am only going to use the temporary diniscruz_defcon@outlook.com account (I also have temp GitHub, Twitter and Blogger accounts)

So if you want to reach me, the best way is via the diniscruz_defcon@outlook.com (which I will check regularly, but will expect to be a little-bit compromised)

Any other ideas?

For the ones that are going, what other security measures are you taking?

And although it looks like the app is NOT vulnerable to MVC Model injections, that is mainly because there are very few controllers that use ModelBinding (i.e. that Design Pattern was not used (which ironically is my main recommendation to deal with MVC ModelBinding Vulnerabilities: don't use Model Binding :) )).
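As an added illustration of the overposting pattern discussed above (not code from the Contoso University sample or from the original post), the controller below shows a vulnerable action beside a hardened one. The `Student` entity, `StudentEditViewModel` and `IStudentRepository` are hypothetical names modelled on the sample's domain.

```csharp
using System.Web.Mvc;

// Hypothetical entity modelled on the Contoso University sample (assumption, not the sample's code).
public class Student
{
    public int ID { get; set; }
    public string FirstMidName { get; set; }
    public string LastName { get; set; }
    public bool IsAdmin { get; set; }   // never meant to be settable from a form
}

// Only the fields the edit form is allowed to change; nothing else can be bound.
public class StudentEditViewModel
{
    public string FirstMidName { get; set; }
    public string LastName { get; set; }
}

public interface IStudentRepository   // hypothetical persistence abstraction
{
    Student Find(int id);
    void Save(Student student);
}

public class StudentController : Controller
{
    private readonly IStudentRepository _repo;
    public StudentController(IStudentRepository repo) { _repo = repo; }

    // VULNERABLE: the default model binder maps every posted field onto Student,
    // so a form that also carries ID or IsAdmin overwrites those properties (overposting).
    [HttpPost]
    public ActionResult EditUnsafe(Student student)
    {
        if (!ModelState.IsValid) return View(student);
        _repo.Save(student);
        return RedirectToAction("Index");
    }

    // HARDENED: bind to a view model, load the entity by id from the server side,
    // and copy across only the allowed fields. ([Bind(Include = "...")] on the
    // parameter is an alternative, but an explicit view model is harder to get wrong.)
    [HttpPost]
    public ActionResult EditSafe(int id, StudentEditViewModel form)
    {
        if (!ModelState.IsValid) return View(form);
        var student = _repo.Find(id);
        if (student == null) return HttpNotFound();
        student.FirstMidName = form.FirstMidName;
        student.LastName = form.LastName;
        _repo.Save(student);
        return RedirectToAction("Index");
    }
}
```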

Using DotNet_ANSA (see end of post for more info about this tool) I was able to show a number of security issues that exist with Azure Websites

BUT (Important disclaimer):

I was not able to see data from other Azure websites hosted on the same server (since I was limited by the IIS user account used)

This happens because of running .NET code under Full Trust (which is the default in most ASP.NET apps, since partial trust is dead now)

Although this is nothing new, I was surprised by the number of ASP.NET Azure specialists that were not aware that it was possible to (for example) browse files/folders outside the allocated folder and start new processes on the Azure server

These are ‘Security Issues’ and ‘Areas of concern’ for Azure (and other) deployed websites.

These are not ‘Security Vulnerabilities’ since they happen by ‘design’

The key is to make sure that all parties understand that this is possible (namely remove process execution on cloud/hosted services)

I didn’t upload any exploits or Metasploit-like tools (since that would be pushing my Azure testing a bit too far), but as far as I can see, they should work

I didn't spend a lot of time on this, and there are a number of other research areas that should be pursued

Wednesday, 17 July 2013

This post contains an example of a serious security vulnerability that is common on ASP.NET MVC applications.

There are two versions of a Model Binder (CartModelBinder) class shown below, one or both are vulnerable.

Your job is to find out how to exploit them :)

Ideally you should provide your answer/results/proof using UnitTests :)

Note 1: The vulnerability shown in this post is a variation of a real-world vulnerability that I helped to find a couple of weeks ago (at a UK-based financial services company).

Note 2: I have yet to look at/review/see a large MVC application that doesn’t have similar vulnerabilities (on both ASP.NET MVC and Spring MVC)

Note 3: the code is from the http://sportsstoremvc3.codeplex.com/ sample application, which is used as a ‘real-world application’ example by the Pro ASP.NET MVC 4 book (the code was compiled using .NET 4.0 and executed using the ASP.NET MVC 3.0 and ASP.NET MVC 4.0 versions).